
Example 6 with WebResourcePermission

use of javax.security.jacc.WebResourcePermission in project Payara by payara.

the class JaccWebAuthorizationManager method isPermitAll.

/**
 * Reports whether the resource addressed by {@code request} is granted by a permission check
 * that is made without any caller principals.
 *
 * <p>The unchecked-permission cache is consulted first when one is present. A cache result of
 * {@code false} is never treated as a denial: the check is then repeated through
 * {@code checkPermissionWithoutCache}.
 *
 * @param request the request from which the {@code WebResourcePermission} is derived
 * @return {@code true} if either the cache or the uncached check grants the permission
 */
public boolean isPermitAll(HttpServletRequest request) {
    WebResourcePermission requestedPermission = createWebResourcePermission(request);

    // Fast path: a positive cache answer is final.
    if (uncheckedPermissionCache != null && uncheckedPermissionCache.checkPermission(requestedPermission)) {
        return true;
    }

    // Slow path. The second argument is null; presumably that means "no principals", so only
    // permissions granted to everyone can match -- confirm against checkPermissionWithoutCache.
    return checkPermissionWithoutCache(requestedPermission, null);
}
Also used : WebResourcePermission(javax.security.jacc.WebResourcePermission)

Example 7 with WebResourcePermission

use of javax.security.jacc.WebResourcePermission in project Payara by payara.

the class JaccWebAuthorizationManager method hasResourcePermission.

/**
 * Perform access control based on the <code>HttpServletRequest</code>. Return <code>true</code> if this constraint is
 * satisfied and processing should continue, or <code>false</code> otherwise.
 *
 * <p>The decision is made for the principal set of the security context obtained from the request's user
 * principal. Both outcomes (granted and denied) are passed to <code>recordWebInvocation</code>.
 *
 * @param servletRequest the request whose target resource and user principal are checked
 * @return true if the resource is granted, false if denied
 */
public boolean hasResourcePermission(HttpServletRequest servletRequest) {
    // getUserPrincipal() is null for an unauthenticated request; how getSecurityContext maps that
    // case is not visible here -- NOTE(review): confirm it yields an unprivileged context.
    SecurityContext securityContect = getSecurityContext(servletRequest.getUserPrincipal());
    WebResourcePermission webResourcePermission = createWebResourcePermission(servletRequest);
    // Registered before the check; presumably so the policy evaluation can reach the request -- confirm.
    setServletRequestForJACC(servletRequest);
    boolean isGranted = checkPermission(webResourcePermission, securityContect.getPrincipalSet());
    // The context becomes the current one whether or not access was granted.
    SecurityContext.setCurrent(securityContect);
    if (logger.isLoggable(FINE)) {
        // FINE-level trace of the decision and of the permission that was evaluated.
        logger.log(Level.FINE, "[Web-Security] hasResource isGranted: {0}", isGranted);
        logger.log(Level.FINE, "[Web-Security] hasResource perm: {0}", webResourcePermission);
    }
    // Called for denials as well as grants (presumably feeds auditing -- confirm).
    recordWebInvocation(servletRequest, RESOURCE, isGranted);
    return isGranted;
}
Also used : WebResourcePermission(javax.security.jacc.WebResourcePermission) SecurityContext(com.sun.enterprise.security.SecurityContext)

Example 8 with WebResourcePermission

use of javax.security.jacc.WebResourcePermission in project Payara by payara.

the class JDKPolicyFileWrapper method removeExcludedPermissions.

// Returns the granted permissions with every permission that matches the excluded policy
// filtered out.
//
// - No excluded policy, or an empty one: the argument collection is returned as is.
// - Nothing turned out to be excluded: the argument collection is returned as is.
// - Otherwise: a new Permissions object holding only the surviving permissions is returned.
//   It is null when every granted permission was excluded, so callers must handle null.
//
// Should find a way to do this that preserves the argument PermissionCollection.
// Safe for now, because only EJBMethodPermission, WebResourcePermission, and
// WebUserDataPermissions are excluded, and none of these classes implement a
// custom collection.
private static PermissionCollection removeExcludedPermissions(PolicyConfigurationImpl policyConfiguration, PermissionCollection permissions) {
    Permissions excluded = getExcludedPolicy(policyConfiguration);
    if (excluded == null || !excluded.elements().hasMoreElements()) {
        return permissions;
    }

    PermissionCollection retained = null;
    boolean anyRemoved = false;
    for (Permission granted : list(permissions.elements())) {
        if (grantedIsExcluded(granted, excluded)) {
            anyRemoved = true;
            continue;
        }
        // Allocated lazily: stays null if no granted permission survives.
        if (retained == null) {
            retained = new Permissions();
        }
        retained.add(granted);
    }

    // Hand back the caller's own collection when the filter changed nothing.
    return anyRemoved ? retained : permissions;
}
Also used : PermissionCollection(java.security.PermissionCollection) Permissions(java.security.Permissions) MBeanPermission(javax.management.MBeanPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) WebResourcePermission(javax.security.jacc.WebResourcePermission) WebRoleRefPermission(javax.security.jacc.WebRoleRefPermission) Permission(java.security.Permission)

Example 9 with WebResourcePermission

use of javax.security.jacc.WebResourcePermission in project tomee by apache.

the class TomcatSecurityConstaintsToJaccPermissionsTransformer method buildPermissions.

/**
 * Translates the collected URL patterns into JACC permissions on <code>policyContext</code>:
 * excluded permissions, per-role <code>WebResourcePermission</code>s, and unchecked
 * <code>WebResourcePermission</code>s / <code>WebUserDataPermission</code>s.
 *
 * <p>Reads <code>excludedPatterns</code>, <code>rolesPatterns</code>, <code>uncheckedPatterns</code>,
 * <code>allSet</code> and <code>allMap</code>; fills <code>uncheckedResourcePatterns</code> and
 * <code>uncheckedUserPatterns</code> as intermediate state before the unchecked permissions are created.
 *
 * <p>NOTE(review): every pattern/method combination that no constraint covers ends up in the unchecked
 * set, so gaps in the deployment descriptor surface here as unchecked permissions.
 */
private void buildPermissions() {
    // Excluded patterns: both the resource and the user-data permission go to the excluded set.
    for (URLPattern pattern : excludedPatterns.values()) {
        String name = pattern.getQualifiedPattern(allSet);
        String actions = pattern.getMethods();
        policyContext.getExcludedPermissions().add(new WebResourcePermission(name, actions));
        policyContext.getExcludedPermissions().add(new WebUserDataPermission(name, actions));
    }
    // Role-constrained patterns: the entry key is passed to addRole as the role.
    for (Map.Entry<String, Map<String, URLPattern>> entry : rolesPatterns.entrySet()) {
        // The qualified name is computed against this role's own patterns, not against allSet.
        Set<URLPattern> currentRolePatterns = new HashSet<URLPattern>(entry.getValue().values());
        for (URLPattern pattern : entry.getValue().values()) {
            String name = pattern.getQualifiedPattern(currentRolePatterns);
            String actions = pattern.getMethods();
            WebResourcePermission permission = new WebResourcePermission(name, actions);
            policyContext.addRole(entry.getKey(), permission);
            HTTPMethods methods = pattern.getHTTPMethods();
            int transportType = pattern.getTransport();
            // Only the resource permission is tied to the role; the matching user-data
            // permission (with the pattern's transport type) is queued as unchecked.
            addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
        }
    }
    // Explicitly unchecked patterns: resource side recorded with URLPattern.NA, user-data side
    // with the pattern's own transport type.
    for (URLPattern pattern : uncheckedPatterns.values()) {
        String name = pattern.getQualifiedPattern(allSet);
        HTTPMethods methods = pattern.getHTTPMethods();
        addOrUpdatePattern(uncheckedResourcePatterns, name, methods, URLPattern.NA);
        int transportType = pattern.getTransport();
        addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
    }
    /*
     * A <code>WebResourcePermission</code> and a
     * <code>WebUserDataPermission</code> must be instantiated for each
     * <tt>url-pattern</tt> in the deployment descriptor and the default
     * pattern "/", that is not combined by the
     * <tt>web-resource-collection</tt> elements of the deployment
     * descriptor with every HTTP method value. The permission objects must
     * be constructed using the qualified pattern as their name and with
     * actions defined by the subset of the HTTP methods that do not occur
     * in combination with the pattern. The resulting permissions must
     * be added to the unchecked policy statements by calling the
     * <code>addToUncheckedPolicy</code> method on the
     * <code>PolicyConfiguration</code> object.
     */
    for (URLPattern pattern : allSet) {
        String name = pattern.getQualifiedPattern(allSet);
        HTTPMethods methods = pattern.getComplementedHTTPMethods();
        // Nothing left over for this pattern: every method is already covered.
        if (methods.isNone()) {
            continue;
        }
        addOrUpdatePattern(uncheckedResourcePatterns, name, methods, URLPattern.NA);
        addOrUpdatePattern(uncheckedUserPatterns, name, methods, URLPattern.NA);
    }
    // Default pattern "/" when the descriptor never mentions it. It is created with an empty
    // method set, so its complement is presumably every HTTP method -- confirm in URLPattern.
    if (!allMap.containsKey("/")) {
        URLPattern pattern = new URLPattern("/", Collections.<String>emptySet(), false);
        String name = pattern.getQualifiedPattern(allSet);
        HTTPMethods methods = pattern.getComplementedHTTPMethods();
        addOrUpdatePattern(uncheckedResourcePatterns, name, methods, URLPattern.NA);
        addOrUpdatePattern(uncheckedUserPatterns, name, methods, URLPattern.NA);
    }
    // Create the uncheckedPermissions for WebResourcePermissions
    for (UncheckedItem item : uncheckedResourcePatterns.keySet()) {
        HTTPMethods methods = uncheckedResourcePatterns.get(item);
        String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType());
        policyContext.getUncheckedPermissions().add(new WebResourcePermission(item.getName(), actions));
    }
    // Create the uncheckedPermissions for WebUserDataPermissions
    for (UncheckedItem item : uncheckedUserPatterns.keySet()) {
        HTTPMethods methods = uncheckedUserPatterns.get(item);
        String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType());
        policyContext.getUncheckedPermissions().add(new WebUserDataPermission(item.getName(), actions));
    }
}
Also used : WebResourcePermission(javax.security.jacc.WebResourcePermission) WebUserDataPermission(javax.security.jacc.WebUserDataPermission) HashMap(java.util.HashMap) Map(java.util.Map) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) HashSet(java.util.HashSet)

Example 10 with WebResourcePermission

use of javax.security.jacc.WebResourcePermission in project Payara by payara.

the class MapValue method handleRoles.

/**
 * Adds to {@code map} the {@code WebResourcePermission}s that the constraints held by {@code m}
 * grant to each role for the resource {@code name}.
 *
 * <p>Two passes are made. The first covers the "other" constraint (the HTTP methods that are not
 * listed explicitly): each of its roles receives a permission whose actions are an exception list
 * ({@code "!" + methods}), or {@code null} actions when nothing is left to except. The second
 * covers explicitly listed methods for the roles that the first pass did not handle.
 *
 * <p>Per the {@code WebResourcePermission} contract, {@code null} actions stand for all HTTP
 * methods, so the {@code null} case is the broadest grant this method produces.
 *
 * @param map  role name to permissions; updated through {@code addToRoleMap}
 * @param m    the constraint data for one URL pattern
 * @param name the permission name to use for every permission created here
 */
static void handleRoles(HashMap<String, Permissions> map, MapValue m, String name) {
    HashMap<String, BitSet> methodsByRole = m.getRoleMap();
    List<String> omittedMethodRoles = null;

    // Pass 1: roles attached to the omitted (not explicitly listed) methods.
    if (!m.otherConstraint.isExcluded() && m.otherConstraint.isAuthConstrained()) {
        omittedMethodRoles = m.otherConstraint.roleList;
        for (String role : omittedMethodRoles) {
            // NOTE(review): the set is modified in place below; this assumes getMethodSet()
            // returns a fresh BitSet on every call -- confirm in MapValue.
            BitSet excepted = m.getMethodSet();
            BitSet explicitlyGranted = methodsByRole.get(role);
            if (explicitlyGranted != null) {
                // Methods the role holds explicitly need not appear in the exception list.
                excepted.andNot(explicitlyGranted);
            }
            String actions = excepted.isEmpty() ? null : "!" + MethodValue.getActions(excepted);
            addToRoleMap(map, role, new WebResourcePermission(name, actions));
        }
    }

    // Pass 2: explicitly listed methods, only when there are any.
    if (m.getMethodSet().isEmpty()) {
        return;
    }
    for (Map.Entry<String, BitSet> roleEntry : methodsByRole.entrySet()) {
        String role = roleEntry.getKey();
        if (omittedMethodRoles != null && omittedMethodRoles.contains(role)) {
            continue; // already handled in pass 1
        }
        BitSet explicitMethods = roleEntry.getValue();
        if (explicitMethods.isEmpty()) {
            continue;
        }
        addToRoleMap(map, role, new WebResourcePermission(name, MethodValue.getActions(explicitMethods)));
    }
}
Also used : WebResourcePermission(javax.security.jacc.WebResourcePermission)

Aggregations

WebResourcePermission (javax.security.jacc.WebResourcePermission)10 WebRoleRefPermission (javax.security.jacc.WebRoleRefPermission)4 WebUserDataPermission (javax.security.jacc.WebUserDataPermission)4 Permission (java.security.Permission)2 Permissions (java.security.Permissions)2 HashMap (java.util.HashMap)2 HashSet (java.util.HashSet)2 Map (java.util.Map)2 MBeanPermission (javax.management.MBeanPermission)2 EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)2 SecurityContext (com.sun.enterprise.security.SecurityContext)1 MalformedURLException (java.net.MalformedURLException)1 URISyntaxException (java.net.URISyntaxException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PermissionCollection (java.security.PermissionCollection)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1 Set (java.util.Set)1 PolicyContextException (javax.security.jacc.PolicyContextException)1 SecurityConstraint (org.apache.tomcat.util.descriptor.web.SecurityConstraint)1